YALE-MSS-9.5: Require Multifactor Authentication (MFA) for access to authenticated systems

Standards Group:
YALE-MSS-9: Authentication and Authorization

Low Risk Endpoint: Required for IA
Moderate Risk Endpoint: Required for IA
High Risk Endpoint: Required for IA
Low Risk Server: Required for IA
Moderate Risk Server: Required for IA
High Risk Server: Required for IA
Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required
Low Risk Network Printer: Required for IA
Moderate Risk Network Printer: Required for IA
High Risk Network Printer: Required for IA

Details

Multifactor authentication (MFA) improves on traditional authentication by requiring users to provide more than a username and password. In addition to something you know (e.g., password), MFA may require you to present something you have (e.g., smartphone, security key) or something you are (e.g., fingerprint, face geometry).

MFA offers another layer of defense to protect access to an account in the event a username and password are compromised.

Web applications should use Yale's approved single sign-on (SSO) methods to provide MFA (CAS, SAML, Shibboleth, and Microsoft Entra).

If an IT system is vendor-hosted and Yale's SSO cannot be employed, it is acceptable to use a vendor-provided MFA option.

For SSH, the use of MFA through Yale's Duo meets this requirement. Also, the use of SSH with password-protected keys or certificates is considered to meet this requirement.